The Importance of the Indexed Tag for Third Party Tools
Recently, Hosho Group performed an audit of the BlitzPredict Token Contract. The final version of the contract passed full validation from our static analysis, test suite, and manual review. However, upon the opening of their public sale, users reported issues of being unable to see their tokens (BPZ), and an investigation ensued.
We were able to quickly confirm that the tokens were in fact being issued correctly. Those who had purchased tokens could verify their token balances by manually loading the JSON interface for the contract into a wallet interface and executing the
balanceOf function with their Ethereum address as the owner.
The question then became: “Why were third party tools such as EtherScan not showing the balances?” With more digging, our team discovered that those large data handlers would only track token balances if the indexed tag was put onto the Transfer and Approve events for the addresses. This feature of an event generates an index on the database that stores the block data.
Both static analysis tools and humans are imperfect and, in this case, a lot of panic resulted from investors not being able to use the tools they trust to show their token balances. The BlitzPredict team quickly updated the smart contract, which our team has audited. This new version, which will be released soon, will allow users to view their token balances and include all those who have already purchased them.
For each contract that is audited, Hosho will not only verify that the event exists and returns the correct data, but verify whether it’s in an indexed or non-indexed state. This data is available inside of the instanced version of the contract as processed by Truffle. It was unfortunate that this issue slipped through our process but we see it as an opportunity to improve as the number of third party tools that people rely on grows. We look forward to conversations around how to effectively manage outside tools that will interact with our audited contracts. Lastly, we thank the BlitzPredict team for being understanding with us and responsive to their users and investors.